What service principal name for the host object does QAS look for in Active Directory?
The service principal name (SPN) for the computer object can be confirmed by checking the keytab, or the value stored for computerFQDN in the misc cache.
# /opt/quest/bin/vastool ktutil list
Vno Type Principal
2 arcfour-hmac-md5 host/rhl.qmxlab.com@QMXLAB.COM
2 arcfour-hmac-md5 RHL$@QMXLAB.COM
2 arcfour-hmac-md5 cifs/rhl.qmxlab.com@QMXLAB.COM
# /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_misc.vdb "select * from misc" | grep computer
Hence, this is what the SPN of the computer object should be in AD, in the above instance:
When QAS is authenticating a user for access onto the machine, it will use the FQDN (Fully Qualified Domain Name) as its service name when requesting the user's service ticket. If the SPN does not exist in AD, then the authentication will fail with Service Principal Unknown.
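The keytab check above can be scripted. The following is an added example, not part of the original article or of the QAS tooling: it reads a `vastool ktutil list` listing and reports whether a `host/<FQDN>` entry is present. The function names and the sample listing (constructed from the output shown above) are assumptions of this example, as is comparing the name case-insensitively.

```shell
#!/bin/sh
# Added example: look for the host/<FQDN> principal in keytab listing output.

# Constructed sample input, copied from the listing shown in the article.
sample_listing() {
cat <<'EOF'
Vno Type Principal
2 arcfour-hmac-md5 host/rhl.qmxlab.com@QMXLAB.COM
2 arcfour-hmac-md5 RHL$@QMXLAB.COM
2 arcfour-hmac-md5 cifs/rhl.qmxlab.com@QMXLAB.COM
EOF
}

# host_spn_entries FQDN
# Reads a "Vno Type Principal" listing on stdin and prints every entry whose
# principal (realm stripped) is host/FQDN. The comparison is case-insensitive,
# which is an assumption of this example.
# Exit status: 0 if at least one entry matched, 1 if the host SPN is absent.
host_spn_entries() {
    awk -v fqdn="$1" '
        BEGIN { want = "host/" tolower(fqdn); rc = 1 }
        NR == 1 && $1 == "Vno" { next }          # skip the header row
        NF >= 3 {
            split($3, parts, "@")                 # parts[1] = service/host
            if (tolower(parts[1]) == want) {
                print $1, $2, $3                  # kvno, enctype, principal
                rc = 0
            }
        }
        END { exit rc }
    '
}

# check_host_spn FQDN: human-readable result for a listing on stdin.
check_host_spn() {
    if entries=$(host_spn_entries "$1"); then
        printf 'OK: keytab has host SPN for %s\n%s\n' "$1" "$entries"
    else
        printf 'MISSING: no host/%s entry in keytab\n' "$1"
        return 1
    fi
}

# Demo on the constructed sample. On a live host, pipe the real listing:
#   /opt/quest/bin/vastool ktutil list | check_host_spn "$(hostname -f)"
sample_listing | check_host_spn rhl.qmxlab.com
```

A MISSING result means the keytab has no host entry for that FQDN; whether the SPN exists on the computer object in AD still has to be confirmed on the AD side.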